Configure Windows 10 to Prompt for BitLocker PIN During Startup

November 7, 2018 updated by Admin Leave a reply »

Setting up BitLocker PIN can add an additional layer of security to your computer as it acts as a second authentication factor, which can prevent DMA attacks and unauthorized access to Windows logon screen. In this tutorial we’ll show you how to configure Windows 10 to prompt for BitLocker PIN during startup.

How to Enable BitLocker Startup PIN in Windows 10

Before proceed, you have to turn on BitLocker Drive Encryption for your system drive with TPM. Once you’ve enabled BitLocker, follow these steps to set up a pre-boot PIN:

  1. Open the Local Group Policy Editor and browse to:
    Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives

    In the right pane, double-click on the “Require additional authentication at startup” the policy.

  2. Now you should select Enabled. Under “Configure TPM startup PIN”, select Require startup PIN with TPM. Click OK and then reboot the system.

  3. Open an elevated Command Prompt and run the following command to add a pre-boot PIN for your BitLocker-encrypted OS drive. Make sure you set a strong PIN that you can remember.
    manage-bde -protectors -add C: -TPMAndPIN

  4. Next, type manage-bde -status to check whether the TPMAndPin protector has been added.
  5. After all that is done, you’ll need to enter the BitLocker PIN each time you turn on your PC, before Windows boots up.

That’s it!